There is some implicit R0 == $0 here which may not be desired.
"CMP $0, Rx" translates to "cmpd r0, rX" which is less preferred
than "cmpdi r0, 0". Likewise, "ADDE $0, Rx" also turns into
"adde R0, Rx, Rx" which can be simplified to a similar instruction
which adds to zero with carry, "ADDZE Rx, Rx".
Change-Id: I5de17ff5b02c7c9d57daf014c7fe9420bfbeeeab
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/311372
Reviewed-by: Carlos Eduardo Seo <carlos.seo@linaro.org>
Trust: Carlos Eduardo Seo <carlos.seo@linaro.org>
Trust: Lynn Boger <laboger@linux.vnet.ibm.com>
Make all our package sources use Go 1.17 gofmt format
(adding //go:build lines).
Not strictly necessary but will avoid spurious changes
as files are edited.
Part of //go:build change (#41184).
See https://golang.org/design/draft-gobuild
Change-Id: I70526bf588bf4078887e567795867ece785d666b
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/294415
Trust: Russ Cox <rsc@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
appengine is obsolete and superseded by purego, and gc is a more
precise tag for files that use gc-syntax assembly.
Change-Id: I716f59de772ebeee4adf4d2a432edf300122cef0
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/269920
Trust: Ian Lance Taylor <iant@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
appengine was only necessary for the legacy system based on Go 1.9, drop
that. Add purego tags instead. Remove redundant architecture tags.
Change-Id: Ib1f65a4837511e63e08c1aa43163a79cfe868e0c
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/215498
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
This CL adds the poly1305.MAC type which implements a
subset of the hash.Hash interface. With MAC it is possible
to compute an authentication tag of data without copying
it into a single byte slice.
This commit modifies the reference/generic and the
AMD64 assembler but not the ARM/s390x implementation
to support an io.Writer interface.
Updates golang/go#25219
Change-Id: I7ee5a9eadd43387cf3cd887d734c625575eee47d
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/111335
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Use the recently added CPU feature detection API rather than custom
assembly. This will need to be updated to use 'internal/cpu' when
the package is revendored into std.
Change-Id: Ia99c51c7409fe4fabcd88fdf5ff19772c1ca2257
Reviewed-on: https://go-review.googlesource.com/c/164382
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Increase the number of test vectors in this package to provide
better validation of new SIMD implementations.
Change-Id: Ia89883609e78cef53ba40a9cae41f4e0a3bccc80
Reviewed-on: https://go-review.googlesource.com/112855
Run-TryBot: Michael Munday <mike.munday@ibm.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
SIMD implementation based on the algorithm outlined in:
NEON crypto, Daniel J. Bernstein and Peter Schwabe
https://cryptojedi.org/papers/neoncrypto-20120320.pdf
and as modified for VMSL as described in
Accelerating Poly1305 Cryptographic Message Authentication on the z14
O'Farrell, Gadriwala, et al, CASCON 2017, p48-55
https://ibm.ent.box.com/s/jf9gedj0e9d2vjctfyh186shaztavnht
name old new delta
64 485MB/s 1315 MB/s +171.58%
1K 607MB/s 4352 MB/s +616.97%
64Unaligned 485MB/s 1373 MB/s +183.09%
1KUnaligned 606MB/s 4286 MB/s +607.26%
2M 607MB/s 5529 MB/s +810.87%
Change-Id: I31ccc25ced09180d99ea5c9233f0dcdc8666fc98
Reviewed-on: https://go-review.googlesource.com/110297
Run-TryBot: Michael Munday <mike.munday@ibm.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Michael Munday <mike.munday@ibm.com>
Many websites now support HTTPS that may not at the time the code was
committed; let's use the HTTPS links where we can.
Change-Id: I7099dfa0dbb213294e65b4387f343d6e8f955b97
Reviewed-on: https://go-review.googlesource.com/47131
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
This is the test that I use to sanity-check significant changes to the
package, thus it's probably worth checking it in. Since it's very slow,
it's disabled by default.
(Note that while it stands a good chance of catching errors in 32-bit
implementations, no amount of random testing is going to get useful
coverage for 64-bit implementations. Thus it really is just a sanity
check, despite the long run-time.)
Change-Id: I95b321eec6f3026dafbbc157a7ef35a27e88d247
Reviewed-on: https://go-review.googlesource.com/36566
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Often intermediate results of poly1305 calculations are only reduced to
the range [0, 2^130). These new test vectors exercise the code that
reduces the final output to the range [0, 2^130-5).
This improves the test coverage of CL 35294 and CL 32812.
Change-Id: Ifd2f64d4668c08a396ed81db3e88969a49baf777
Reviewed-on: https://go-review.googlesource.com/35918
Run-TryBot: Michael Munday <munday@ca.ibm.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
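
Added example (not part of the commit or of the x/crypto code base): a math/big reference of Poly1305 that keeps the accumulator only partially reduced to [0, 2^130), as the message above describes, and shows what the final reduction to [0, 2^130-5) changes. `TagHex`, `EdgeKey` and `EdgeMsg` are names made up here, and the edge input is constructed so that the accumulator ends at 2^130-2.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"math/big"
)

var (
	two130   = new(big.Int).Lsh(big.NewInt(1), 130)    // 2^130
	p        = new(big.Int).Sub(two130, big.NewInt(5)) // 2^130 - 5
	clamp, _ = new(big.Int).SetString("0ffffffc0ffffffc0ffffffc0fffffff", 16)
	EdgeKey  = [32]byte{2} // constructed: r = 2, s = 0
	EdgeMsg  = []byte("\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff")
)

// rev returns a reversed copy of b (little-endian <-> big-endian).
func rev(b []byte) []byte {
	r := make([]byte, len(b))
	for i, v := range b {
		r[len(b)-1-i] = v
	}
	return r
}
func le(b []byte) *big.Int { return new(big.Int).SetBytes(rev(b)) }

// TagHex computes Poly1305 over msg; finalReduce=false omits the last subtraction of p.
func TagHex(key [32]byte, msg []byte, finalReduce bool) string {
	r, s, h := le(key[:16]), le(key[16:]), new(big.Int)
	r.And(r, clamp)
	for i := 0; i < len(msg); i += 16 {
		blk := msg[i:]
		if len(blk) > 16 {
			blk = blk[:16]
		}
		// h = (h + block||0x01) * r; the capped slice makes append copy.
		h.Mul(h.Add(h, le(append(blk[:len(blk):len(blk)], 1))), r)
		for h.Cmp(two130) >= 0 { // partial reduction only: fold with 2^130 = 5 mod p
			hi := new(big.Int).Rsh(h, 130)
			h.Add(h.Mod(h, two130), hi.Mul(hi, big.NewInt(5)))
		}
	}
	if finalReduce && h.Cmp(p) >= 0 {
		h.Sub(h, p) // h was in [2^130-5, 2^130): bring it into [0, 2^130-5)
	}
	// tag = low 128 bits of h + s, little-endian
	return hex.EncodeToString(rev(h.Add(h, s).FillBytes(make([]byte, 17)))[:16])
}

func main() {
	fmt.Println(TagHex(EdgeKey, EdgeMsg, true), TagHex(EdgeKey, EdgeMsg, false))
}
```

math/big is not constant-time, so this reference is for checking vectors against an optimized implementation, not for computing tags on secret keys.
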
Rather than change the value of R13 during the execution, keep R13 fixed
(after the initial prelude) and always use offsets from it.
This should help the runtime figure out what's going on if, say, a
signal should occur while running this code.
I've also trimmed the set of saved registers since Go doesn't require
the callee to maintain anything except R10 and R13.
Change-Id: Ifbeca73c1d964cc43bb7f8c20c61066f22fd562d
Reviewed-on: https://go-review.googlesource.com/31717
Run-TryBot: Cherry Zhang <cherryyz@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Cherry Zhang <cherryyz@google.com>
5f31782cfb added build constraints to
disable assembly for Go 1.6 but didn't add the needed tags to the ARM
files. Also, it's not clear that was needed as the error given in
golang/go#17424 only complains about the chacha20poly1305 package.
This change reenables the assembly for Go 1.6 in the poly1305 package.
Tested with 1.6.3 and 1.5.4.
Fixes golang/go#17512.
Change-Id: I81b41f8810437ea327b415542402cd8ff5c8a390
Reviewed-on: https://go-review.googlesource.com/31492
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Up till now, sum_arm.s was working only because of luck. It was written
assuming that it had stack space below the current stack pointer, but Go
decrements the stack pointer in the function prelude, so it was just
writing off the end of the stack.
This change fixes the stack manipulation so that it only writes within
the bounds.
Fixes golang/go#17499.
Change-Id: I1951b3344c21f6bd6ade79da8b96dd1bb68180db
Reviewed-on: https://go-review.googlesource.com/31443
Reviewed-by: Cherry Zhang <cherryyz@google.com>
Run-TryBot: Cherry Zhang <cherryyz@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
The ARM assembly doesn't work for NaCl on ARM because it doesn't meet
the required rules. This change disables it on ARM and also fixes the
issue that the build constraints in sum_arm.s would be ignored because
they came after the #include.
Change-Id: I6cb3815ec62ac4686a6e72f405af104293586bb6
Reviewed-on: https://go-review.googlesource.com/31264
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Since the wrapper files are called sum_𝑥.go, it makes sense that the
assembly files would be named similarly.
Change-Id: I5c515008b86c7fedd04b940d7846b84dfccdba33
Reviewed-on: https://go-review.googlesource.com/30727
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
This change updates the Poly1305 code in x/crypto to reflect some
comments from the review of
https://go-review.googlesource.com/cl/29245/.
Following this change, poly1305_arm.s will be renamed to sum_arm.s, to
match the other files here. (The review becomes confusing if that's done
in the same change as the asmfmt changes.)
Change-Id: Iddf43615eba97c975adb135aef3a814a37e9ec02
Reviewed-on: https://go-review.googlesource.com/30820
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Michael Munday <munday@ca.ibm.com>
Add the conditional subtraction of 3 from 'h2' (register R10).
Change-Id: I75615b0375f050a5cd97b968075c2992ccd1dee7
Reviewed-on: https://go-review.googlesource.com/30101
Reviewed-by: Adam Langley <agl@golang.org>
The current ARM implementation assumes that the input message
is memory aligned and so it can cause alignment fault when it
is not enabled. Also it may generate incorrect outputs in ARMv5.
This change fixes this issue by temporarily copying the input
to a local aligned space. Although there may be a better way
to handle unaligned access, this would be a safe way in all
ARM versions.
This change also added a test and benchmarks with unaligned
data. The benchmark result on Raspberry Pi 2 is
Benchmark64 2000000 812 ns/op 78.81 MB/s
Benchmark1K 200000 7809 ns/op 131.12 MB/s
Benchmark64Unaligned 2000000 967 ns/op 66.13 MB/s
Benchmark1KUnaligned 200000 10316 ns/op 99.26 MB/s
Change-Id: I189cc1b7bb6c67a04c9877271fb27326f2896e82
Reviewed-on: https://go-review.googlesource.com/12797
Reviewed-by: Adam Langley <agl@golang.org>
This is the same as https://golang.org/cl/154120043
Since the file textflag.h is not available on Go 1.3, the macros defined
in textflag.h are replaced with their respective value.
Fixes golang/go#11448
Change-Id: I0d4aed67b7afe50d8e4e88915edd2cefeac4cc96
Reviewed-on: https://go-review.googlesource.com/12033
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Fix compilation of poly1305 using go tip - it currently fails with:
./poly1305_arm.s:124: cannot reference SP without a symbol
./poly1305_arm.s:161: cannot reference SP without a symbol
./poly1305_arm.s:162: cannot reference SP without a symbol
asm: asm: assembly of ./poly1305_arm.s failed
Change-Id: I797dcf3641cc881b6cc192034b693ccf58317987
Reviewed-on: https://go-review.googlesource.com/10307
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
This change adds ARMv6 assembly implementation. The referenced assembly code was
the public domain source by Andrew Moon in https://github.com/floodyberry/poly1305-opt/blob/master/app/extensions/poly1305/poly1305_armv6-32.inc.
The author has confirmed that it's ok to put it under the Go license.
Benchmark results on Raspberry Pi (ARMv6-compatible processor rev 7),
o Without ARMv6 assembly
Benchmark1K 5000 287177 ns/op 3.57 MB/s
Benchmark64 50000 38880 ns/op 1.65 MB/s
o With ARMv6 assembly
Benchmark1K 100000 15964 ns/op 64.14 MB/s
Benchmark64 1000000 1472 ns/op 43.46 MB/s
Change-Id: Iea5b0b831ac097cc6d477a8fccbf0ddb4819724c
Reviewed-on: https://go-review.googlesource.com/9765
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
Fixes tests when using Go tip. Without this the link step
fails with errors like:
missing Go type information for global symbol: google3/third_party/golang/go_crypto/curve25519/curve25519.REDMASK51 size 8
LGTM=agl
R=agl
CC=golang-codereviews
https://golang.org/cl/156810043
This change alters the assembly to use FSUBD instructions such that
6l will actually emit the correct FSUBRD instructions and enables
the assembly code.
R=golang-dev, r
CC=golang-dev
https://golang.org/cl/6514044